Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-31857

enable --ssl-verify-server-cert by default

Details

    Description

      The summary says it all, let's get a secure-by-default connection by enabling --ssl-verify-server-cert by default.

      Attachments

        Issue Links

          blocks

          Task - A task that needs to be done. MDEV-28634 Client's --ssl-* options (without --ssl-verify-server-cert) are silently ignored if TLS is not possible

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32473 MariaBackup requires disable-ssl-verify-server-cert

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-33430 Command line client error ERROR 2026 (HY000): TLS/SSL error: Server certificate validation failed. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Error 0x800B0109(CERT_E_UNTRUSTEDROOT)

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. MDEV-36500 Passwordless --ssl-verify-server-cert

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. ODBC-421 Certificate verification option should be on by default

          • Major - Major loss of function.
          • Closed
          is blocked by

          New Feature - A new feature of the product, which has yet to be developed. MDEV-31856 use ephemeral ssl certificates

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-33396 main.user_limits fails sporadically with CERT_E_UNTRUSTED_ROOT

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-36663 Semi-sync Replica Can't Kill Dump Thread When Using SSL

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            serg Sergei Golubchik created issue -
            serg Sergei Golubchik made changes -
            Field Original Value New Value
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            Fix Version/s 11.3 [ 28565 ]
            serg Sergei Golubchik made changes -
            Fix Version/s 11.3 [ 28565 ]
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            julien.fritsch Julien Fritsch made changes -
            Priority Major [ 3 ] Critical [ 2 ]
            serg Sergei Golubchik made changes -
            Assignee Sergei Golubchik [ serg ]
            serg Sergei Golubchik made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            serg Sergei Golubchik made changes -
            Status In Progress [ 3 ] Stalled [ 10000 ]
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            Comment [ I'm thinking that cert validation can be auto-disabled for a case when
            * the user has no password (but a password-using plugin, not unix_socket or gssapi)
            * client presented no certificate to the server

            this is an insecure case anyway, anyone can connect to the server, SSL or not, so verifying server's certificate makes minimal sense. And it might significantly improve the compatibility for users with accounts w/o a password. Supposedly their security expectations aren't high. ]
            serg Sergei Golubchik made changes -
            Assignee Sergei Golubchik [ serg ] Oleksandr Byelkin [ sanja ]
            Status Stalled [ 10000 ] In Review [ 10002 ]
            sanja Oleksandr Byelkin made changes -
            Assignee Oleksandr Byelkin [ sanja ] Sergei Golubchik [ serg ]
            Status In Review [ 10002 ] Stalled [ 10000 ]
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            Status Stalled [ 10000 ] In Testing [ 10301 ]
            serg Sergei Golubchik made changes -
            Assignee Sergei Golubchik [ serg ] Alice Sherepa [ alice ]
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            ralf.gebhardt Ralf Gebhardt made changes -
            Labels Preview_11.3
            elenst Elena Stepanova made changes -
            serg Sergei Golubchik made changes -
            Assignee Alice Sherepa [ alice ] Lena Startseva [ JIRAUSER50478 ]
            serg Sergei Golubchik made changes -
            Fix Version/s 11.4 [ 29301 ]
            Fix Version/s 11.3 [ 28565 ]
            julien.fritsch Julien Fritsch made changes -
            Issue Type Task [ 3 ] New Feature [ 2 ]
            lstartseva Lena Startseva made changes -
            Status In Testing [ 10301 ] Stalled [ 10000 ]
            lstartseva Lena Startseva made changes -
            Assignee Lena Startseva [ JIRAUSER50478 ] Sergei Golubchik [ serg ]
            serg Sergei Golubchik made changes -
            Fix Version/s 11.4.1 [ 29523 ]
            Fix Version/s 11.4 [ 29301 ]
            Resolution Fixed [ 1 ]
            Status Stalled [ 10000 ] Closed [ 6 ]
            wlad Vladislav Vaintroub made changes -
            wlad Vladislav Vaintroub made changes -
            Lawrin Lawrin Novitsky made changes -
            ParadoxV5 Jimmy Hú made changes -
            bnestere Brandon Nesterenko made changes -

            People

              serg Sergei Golubchik
              serg Sergei Golubchik
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.